While shoppers were off searching for the best Black Friday deals the day after Thanksgiving, users of Blackbook, commonly considered the "Facebook of Tor," were in for a shock when their regular login screen was replaced with an ominous image and a message alerting users that Blackbook had been hacked, and that their personal information, credentials, and private messages had suddenly been made public.

Figure 1 - Hacked Blackbook landing page (24 November 2017)

Blackbook hacked

Blackbook, a once fully-functioning and popular darknet social media website, had been compromised. The site was replaced with a single link to a file, which contained the entire content of the darknet social media site’s database.

The leaked file included several paste locations where the entire contents of the site had been archived in a 24MB file along with the site administrator username, email address, and password and the contents of SQL user database of some 15,893 user emails and a corresponding custom-hashed password.

Because Blackbook required an email address upon account registration, 7,298 of those users created their profile using legitimate email addresses from providers such as Google, Yahoo, and Microsoft when they likely should have used an anonymous email provider such as SecMail or entered a fake email account instead.

This is not the first time Tor’s Blackbook has been hacked as hidden services such as these are often a prime target for hackers. Blackbook has the same look and feel to the Clearnet’s Facebook: containing a news feed, polls, user pages with interactive “likeable” posts to the wall with an advertisement bar on the right hand side. Because it is hosted on Tor, the subject matter tends to differ quite a bit from that of traditional Facebook, with advertisements ranging from financial and hacking services to hitmen. Similar to other Tor social media sites, a common question posted to most account timelines is, “How do I hack [insert social media site here]?”.

Figure 2 Blackbook Login Screen

The downloadable zip archive included additional site details including the bash command history of the server, password file, theme data for the user interface, instant messages, and emails shared on the site. Leaked messages ranged from “do you know how to use PGP?” to “looking to put together a pedo hunter group for profit. i could use your skills.”

Blackbook refugees in IRC and Tor chatrooms have suggested that the popular Tor social media site was targeted by hackers because of the excessive posting of illicit content involving children, and the lack of effort by the administration restricting such content. However, further analysis suggests that the hacker does not specifically target related hidden services and websites that are also known for distributing such content.

So, who is the hacker known as bRpsd?

The alias bRpsd has been active on Tor and in the hacking circles for the last 5 years or so. The self-described ethical white hacker is most well known for targeting and taking down the controversial hitman hidden service, Besa Mafia in 2016, which was believed to be linked to the Albanian Mafia. The breached data, which bRpsd posted to various file storage sites (like he did with the Blackbook database) ended up providing evidence in a case the FBI was developing to convict a Minnesotan man for arranging for the murder of his wife for somewhere between 10,000 and 15,000 USD.

Figure 3 The Former Besa Mafia Hidden Services Site, brought down by bRpsd

Note: An SQL injection is an attack technique that exploits a security vulnerability occurring in the database layer of an application. Hackers use injections of malicious SQL statements to obtain unauthorized access to the underlying data, structure, and Relational Database Management System. It is one of the most common web application vulnerabilities

Earlier this year, bRpsd defaced the commercial website kanwall.com with similar branding, but this time including the words, “UAE Hackers Own You.”

This suggests a possible country of origin for the infamous hacker, whose portfolio includes leaking the user database of a Brazilian concert ticking website, defacing a handful of YouTube channels, and contributing to various (seeming random) Windows exploits archives websites on the Clearnet.

DarkOwl Vision returned a Tor Hidden Service from 2016 listing over three dozen sites credited to the Blackbook hacker who appears to favor SQL injection for their server breach methodology.

The hacker bRpsd also signs his work with the Skype username: vegnox and email CY@Live.no. His leaks often include notes which are sometimes comical and provide insight into his motivation for targeting the site. Some notes refer to the less than stellar security the server administrator has in place, while others are directly insulting, like the note included in a data breach from www.ibchan.com:

Figure 4 DarkOwl Vision Result for bRpsd

Title: IBChan Leak

Target: www.ibchan.com

Date: July 25, 2016

Author: bRpsd

Skype: vegnox

Note => The website is lame + all the celeb "nude" and what so-called "fappening 2nd leak" is fake .. they have nothing at all. -- Administrator -- admin username: ibchan

Another ghostbin post, dated June 2016, indicated bRpsd had successfully breached wtspy.com, a WhatsApp spy monitoring application. Compromised data included administrative data such as IP addresses, emails and passwords, server data, payment data for clients in addition to their personally identifiable information such as phone numbers and email addresses.

These examples and the milw0rm hack descriptions from 2016 suggest bRpsd is pretty indiscriminate on target selection.

Figure 5 https://ghostbin.com/paste/mxxnj

Another hacked site, www.woodchasedental.com links the hacker bRpsd to the Middle East, as the main page has the same banner as other bRpsd's other hackings. But, instead of a sinister image in the center, this site links to a YouTube video published in 2012 with Quranic scriptures sung in Arabic.

Figure 6 Another Hacked Site: www.woodchasedental.com

While there is no direct quantifiable evidence linking bRpsd to the UAE or any other specific hacking organization in the Middle East, an older post from 2015 on the Clearnet hacking site, Exploit4Arab.org (image below) intimates that bRpsd has a less than favorable opinion on Iranians with the comment outside his Skype address.

The UAE politically has been a supporter of western policy against Iran and their nuclear programs since the early 2000s.

Given the breadth of the attacks bRpsd has claimed responsibility for over the past two years alone, we doubt the Blackbook attack will be the last of their projects. And, while posts on hacking forums across the darknet and Clearnet suggest that bRpsd is a lonewolf Middle Eastern cyber vigilante, who’s to say there's not a team behind each Hacked by bRpsd~! banner with a larger security agenda in mind?

DarkOwl Vision will continue to capture breaches and actions by threat actors such as these to monitor the evolution and shape of the darknet.